Everybody Loves Containers

Portability
Agility
Density

Container Components & Lifecycle

Dockerfile -> Image -> Image Registry -> Containers (on the Docker Engine)

(Dockerfile excerpt from the diagram)
RUN apt-get update
RUN apt-get install -y
ENV APACHE_RUN_USER

myApache:2.2:Latest
Container Platforms

On Premise: Red Hat OpenShift
Service (Cloud): Amazon ECS, Amazon EKS, Azure Container Service
Container Deployments 
Deployment Scenario #1

(diagram: Container Engine over Guest OS x3, over Hypervisor, over Host Operating System, over Infrastructure)

1. Shrinking infrastructure, as organizations continue migration to the cloud
2. Containers deployed within Virtual Machines
3. But organizations still have the overhead and costs of the hypervisor and virtual machines

Deployment Scenario #2

(diagram: containers over Infrastructure)

1. The orchestration battle ends with Kubernetes winning 80% of the market
2. But organizations struggle to scale their own Kubernetes clusters

Deployment Scenario #3

(diagram: Container x3 over Orchestration as a Service, over Kernel, over Infrastructure)

1. Container-as-a-Service and Orchestration-as-a-Service adoption
2. Now where do you put security?

Container Visibility & Security Challenges

Container Lifecycle Challenges

Container Images / Container Registry:
What's in the images? Vulnerabilities? OSS license exposure?
Solution disruptive to my CI Pipeline?
Scanning report integrated with bug tracking?
Registry scanning? Enforce compliance?
Vulnerability, package and license-based rules?
Vulnerability impact notifications?

Container Instances / Infrastructure:
How to protect host?
Container engine configured correctly?
Container orchestration configured correctly?
Runtime app visibility?
Runtime app protection?
Qualys Container Security

Container Images / Container Registry:
Software Composition
Vulnerability Analysis
OSS License Analysis
Integration with CI Pipelines
Bug Tracking Integration
Registry Scanning
Compliance Controls
Vulnerability, Package and License-based Rules
Real-time Vulnerability Impact Notifications

Container Instances / Infrastructure:
Host Protection
Container Engine Benchmarking
Container Orchestration Benchmarking
Deep Runtime Visibility
Runtime Protection

Qualys Container Security: Key Uses

Visibility into your container projects
Identify hosts with containers. Inventory of images and containers. Search images by vulnerabilities, labels, tags, packages, etc. Build custom widgets.

Scan registry and block unauthorized images
Inventory and scan as new images are added to the registry. Block unapproved images from being spun up as containers.

Secure the CI/CD pipeline
Integrate image vulnerability scans into the build. Fail builds so that insecure images do not enter the stream.

Container runtime visibility and protection
Find what containers are running; know if the runtime got changed from its image. Protect from changes or breakouts.
Use Case #1: Visibility into your container projects

Overview Dashboard
Inventory & security posture widgets
* Container Hosts
* Count of images, containers
* Containers by state
* Vulnerable images

Personalize and add custom widgets

(Dashboard screenshot: Total Images 605, Total Containers 547; widgets for Image Distribution by Registry, Container Distribution by State, Rogue Containers by Software Differences (New / Removed / Varied), Rogue Containers by Vulnerabilities (New / Fixed), and Image and Container Distribution by Vulnerability Severity)
Know where your Containers are?

* Inventory of all Container Hosts across your datacenters, public clouds, laptops, etc.
* Know how the host vulnerabilities, exploits affect your container environments

(AssetView screenshot: Docker Container Hosts Visibility widget; container hosts found with the search isDockerHost:"true", listed by asset name, operating system and container count)

Servers - Datacenter, Clouds, etc.:
isDockerHost:"true" and provider:AWS/Azure/GCP

Developer Mac laptops:
operatingSystem:mac and software.name:docker

(AssetView screenshot: search results listing Mac OS X 10.13.6 laptops with Docker installed, with last logged-in user and scan activity)
Image Inventory and Smart Searches

Search based on all attributes, e.g.:
vulnerabilities.severity: "Severity 5" and repo.registry:"docker.io"

Preset quick search filters: identify images by application labels (LABELS, REGISTRY and VULNERABILITIES facets)

Image info: registry info, containers for this image, vulnerability posture; easy drill down for complete inventory

(Images screenshot: 68 total images from docker.io, listed with repository, tag, image id, hosts and vulnerability counts)


Use Case #2: Secure the CI/CD pipeline
Block vulnerable images in the build

(Pipeline diagram: Developers -> Jenkins -> automated tests -> Qualys Vulnerability Analyzer -> Docker repositories, or FAIL)

* TeamCity, CircleCI - support coming soon

Download the Qualys Vulnerability Analysis plug-in for Jenkins and install on the Jenkins master

Install the Qualys Container Sensor on the Jenkins worker nodes

Set up policies to Pass/Fail the build. Ex: No Sev. 5 vulnerabilities, > CVSS 7, specific QID, vulnerabilities count, etc.

Plugins: Jenkins, Bamboo
REST APIs for any other integrations.
Actionable Vulnerability Information

(Jenkins screenshot: pipeline-project, Qualys Report For e8d112117588)

Qualys BUILD REPORT - e8d112ff7588

Build Summary
Build Status: Failed
Tags: latest   Size: 828 MB
Tabs: Vulnerabilities, Installed Software, Layers, Build Summary

The vulnerabilities count by severity for image id e8d112117588 exceeded one of the configured threshold value
Configured : Severity 1 > 0; Severity 2 > 0; Severity 3 > 0; Severity 4 > 0; Severity 5 > 0.
Found : Severity 1: 0, Severity 2: 1, Severity 3: 11, Severity 4: 2, Severity 5: 0

Vulnerabilities Trend: confirmed vulnerabilities in current build, comparing with build #77
Confirmed Vulnerabilities (10), Potential Vulnerabilities (4); Patchability: Yes (12), No (2); by severity: Sev 5 (0), Sev 4 (1), Sev 3 (2), Sev 2 (1), Sev 1 (0)

Installed Software (Name / Installed Version / Fixed In Version):
libmagickwand-dev          8:6.9.7.4+dfsg-11+deb9u3   8:6.9.7.4+dfsg-11+deb9u4
libmagickwand-6-headers    8:6.9.7.4+dfsg-11+deb9u3   8:6.9.7.4+dfsg-11+deb9u4
libmagickcore-dev          8:6.9.7.4+dfsg-11+deb9u3   8:6.9.7.4+dfsg-11+deb9u4
libmagickcore-6-headers    8:6.9.7.4+dfsg-11+deb9u3   8:6.9.7.4+dfsg-11+deb9u4
imagemagick-6.q16          8:6.9.7.4+dfsg-11+deb9u3   8:6.9.7.4+dfsg-11+deb9u4
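The Pass/Fail rule behind the build report above, as an added example (not the Qualys Jenkins plug-in): it parses the report's Configured and Found lines and fails the build when any severity count exceeds its threshold. The function names and the sample lines are assumptions taken from the report text.

```python
# Severity-threshold build gate, modelled on the build report above.
# Added example, not the Qualys Jenkins plug-in; inputs are constructed
# from the Configured/Found lines of that report.
from dataclasses import dataclass, field


@dataclass
class GateResult:
    failed: bool
    # (severity, found count, configured threshold) for each breached rule
    breached: list = field(default_factory=list)


def parse_severity_line(line: str) -> dict:
    """Parse either report line into {severity: number}:
    'Severity 1 > 0; Severity 2 > 0; ...'  (configured thresholds)
    'Severity 1: 0, Severity 2: 1, ...'    (found counts)"""
    out = {}
    for part in line.replace(";", ",").split(","):
        part = part.strip().rstrip(".")
        if not part:
            continue
        sep = ">" if ">" in part else ":"
        label, value = part.split(sep)
        out[int(label.split()[1])] = int(value)
    return out


def evaluate_gate(found: dict, thresholds: dict) -> GateResult:
    """Fail when the count for any severity is strictly greater than its
    threshold ('Severity N > T'). Severities missing from `found` are 0."""
    breached = [(sev, found.get(sev, 0), limit)
                for sev, limit in sorted(thresholds.items())
                if found.get(sev, 0) > limit]
    return GateResult(failed=bool(breached), breached=breached)


# Constructed from the report shown above
CONFIGURED = parse_severity_line(
    "Severity 1 > 0; Severity 2 > 0; Severity 3 > 0; Severity 4 > 0; Severity 5 > 0.")
FOUND = parse_severity_line(
    "Severity 1: 0, Severity 2: 1, Severity 3: 11, Severity 4: 2, Severity 5: 0")

if __name__ == "__main__":
    result = evaluate_gate(FOUND, CONFIGURED)
    print("Build Status:", "Failed" if result.failed else "Passed")
    for sev, count, limit in result.breached:
        print(f"  Severity {sev}: found {count} > allowed {limit}")
```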
Use Case #3: Scan Registry and block unauthorized images

Know your Registries: inventory registry images, vulnerable images per registry, and images being shipped

(Registry configuration screenshot: Create New Registry, step 1/2 Registry Information - name and select the type for this registry; if public, add credentials if needed. Registry types: Docker Hub, AWS ECR, Azure ECR, GCR, Artifactory V2, Docker Trusted Registry, Docker V2 Private. The registries dashboard shows per-registry image counts, scan status (Completed / Running / Scheduled) and last scanned date)

* Support coming soon
Setup Scans

Configure scan frequency for image vulnerability analysis. Automate scanning of images every day at a scheduled time.

(Create New Registry, step 2/2 Scan Settings: choose scan type to set scan setting parameters.
On Demand: the sensor will do a one-time pull and scan of repositories/images from the registry.
Automatic*)

* Support coming soon
Policy based Orchestration

Blocking unapproved images spun up as containers

(diagram: Images -> Admission Controller -> Qualys -> Approved -> Nodes)

* Support coming soon
Use Case #4: Runtime Drifts & Protection

Detect containers breaking off from "immutable" behavior and Block/Kill/Quarantine them.

Identify potential breaches in containers

"Rogue" containers differ from their parent images by vulnerability, software package composition, behavior, etc.

(Image Associations screenshot: Containers (3), Hosts (1); Rogue Containers by Type: Vulnerability, Software, Both; three worker containers on one Docker host, listed with state (running/stopped), created date and last seen)

Containers breaking off from the "immutable" behavior
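The "rogue container" classification described above, as an added example (not Qualys code): it diffs a container's package and vulnerability inventory against its parent image and labels the result Software, Vulnerability or Both, the same buckets the dashboard uses. Both inventories and the vulnerability ids are constructed placeholders.

```python
# Classify a running container as "rogue" relative to its parent image by
# software-package composition and by vulnerability set, using the
# New / Removed / Varied and New / Fixed buckets from the dashboard above.
# Added example, not Qualys code; both inventories are constructed.

# Constructed inventories: package -> version, plus a set of vulnerability
# ids (placeholder ids, not real QIDs or CVEs)
IMAGE = {
    "packages": {"openssl": "1.1.0f-3", "curl": "7.52.1-5", "httpd": "2.4.25-3"},
    "vulns": {"VULN-A", "VULN-B"},
}
CONTAINER = {
    "packages": {"openssl": "1.1.0f-3+deb9u1", "httpd": "2.4.25-3", "vim": "8.0-1"},
    "vulns": {"VULN-A", "VULN-C"},
}


def software_drift(image, container):
    """Packages (new, removed, varied) in the container vs. its image."""
    ip, cp = image["packages"], container["packages"]
    new = sorted(set(cp) - set(ip))
    removed = sorted(set(ip) - set(cp))
    varied = sorted(p for p in set(ip) & set(cp) if ip[p] != cp[p])
    return new, removed, varied


def vulnerability_drift(image, container):
    """Vulnerability ids (new, fixed) in the container vs. its image."""
    new = sorted(container["vulns"] - image["vulns"])
    fixed = sorted(image["vulns"] - container["vulns"])
    return new, fixed


def rogue_type(image, container):
    """'Software', 'Vulnerability', 'Both', or None when nothing drifted."""
    sw = any(software_drift(image, container))
    vu = any(vulnerability_drift(image, container))
    if sw and vu:
        return "Both"
    return "Software" if sw else ("Vulnerability" if vu else None)


if __name__ == "__main__":
    print("software drift:", software_drift(IMAGE, CONTAINER))
    print("vulnerability drift:", vulnerability_drift(IMAGE, CONTAINER))
    print("rogue type:", rogue_type(IMAGE, CONTAINER))
```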


Activity Monitor

Top 10 Containers and Images by Activity (Containers / Images tabs): host: prod-domain-291, host: prod-load286, host: prod-app-257, host: prod-web-291

Anomalies

Qualys + LI, Q3 2019

Drill down to the details; identify activity in the containers

Activity Monitor (Date Range: Last 7 Days) - Container Details
System call activity, just now: sys_read, sys_write, sys_open, sys_close, sys_stat, sys_fstat, sys_lstat, sys_writev, sys_pipe

Activity Monitor (Date Range: Last 7 Days) - Event Details

Just now
Process /usr/sbin/httpd was blocked from executing /bin/sh. Severity: High

Raw log:
/usr/sbin/httpd sys_execve /bin/sh 11/13/2018, 12:48:28AM

Processes executing /usr/sbin/httpd:
/usr/sbin/httpd

Processes accessing /usr/sbin/httpd:
/usr/sbin/httpd
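The detection behind the event above, as an added example (not the Qualys sensor): it parses raw-log lines in the format shown and raises a High alert when a web-server process executes a shell. The set of server binaries and shell paths, and the sample log lines, are assumptions constructed for the example.

```python
# Parse raw runtime-event lines in the format shown above
# ("<process> <syscall> <target> <mm/dd/yyyy>, <hh:mm:ssAM|PM>") and flag a
# web-server process executing a shell. Added example, not Qualys code.
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<syscall>[Ss]ys[_ ]\w+)\s+(?P<target>\S+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4}, \d{1,2}:\d{2}:\d{2}[AP]M)$")

# Assumptions: server binaries that should never spawn a shell, and shell paths
SERVER_PROCS = {"/usr/sbin/httpd", "/usr/sbin/nginx"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh"}


def parse_event(line):
    """Return a dict for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"process": m["proc"],
            "syscall": m["syscall"].lower().replace(" ", "_"),
            "target": m["target"],
            "time": datetime.strptime(m["ts"], "%m/%d/%Y, %I:%M:%S%p")}


def classify(event):
    """(severity, message) for a shell exec from a server process, else None."""
    if (event["syscall"] == "sys_execve" and event["process"] in SERVER_PROCS
            and event["target"] in SHELLS):
        return ("High", f"Process {event['process']} was blocked from "
                        f"executing {event['target']}. Severity: High")
    return None


def scan_log(text):
    """Alerts for every parsable line that matches the rule."""
    alerts = []
    for line in text.splitlines():
        event = parse_event(line)
        if event and classify(event):
            alerts.append(classify(event))
    return alerts


# Constructed sample log in the slide's raw-log format
RAW_LOG = """\
/usr/sbin/httpd sys_read /var/www/html/index.html 11/13/2018, 12:48:27AM
/usr/sbin/httpd sys_execve /bin/sh 11/13/2018, 12:48:28AM
not a valid line
"""
```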


Qualys Container Security

Protection for container infrastructure stack: Host Protection, CIS Benchmarks
Accurate insight and control: Scanning & Compliance of container images
Automated analysis, visibility & protection
Qualys 'Container Security' Sensor Options

Qualys-Layered Insight

Qualys Container Sensor: embedded option, or side-car*

(diagram: sensor alongside each container on the node)

* Qualys side-car to 'all' containers on the node. Runs today as non-privileged. As features of compliance and enforcements are added the mode will change to Privileged, with option to revert to non-privileged.

Sensors for every use case

PRE-DEPLOYMENT PHASE: BUILD (Jenkins, Bamboo) > REGISTRY (Docker, AWS)
POST-DEPLOYMENT PHASE: RUNTIME > HOST
Cloud Agent or Scanner Appliances and Container Sensor**

* Layered Insight option for runtime protection
** Prevention from starting off malicious containers
Thank You

Hari Srinivasan
hsrinivasan@qualys.com